1.Task 1

You are asked to prepare a VMware NSX-T Data Center ESXi compute cluster
infrastructure. You will prepare two ESXi servers in a cluster for NSX-T overlay and
VLAN use.

All configuration should be done using the NSX UI. 

- NOTE: The configuration details in this task may not be presented to you in the
order in which you must complete them.

- Configure a new Transport Node profile and add one N-VDS switch. Ensure
Uplink 1 and Uplink 2 of your configuration use vmnic2 and vmnic3 on the host.


Configuration detail:

Name: RegionA01-COMP01-TNP
Type: N-VDS switch
Mode: Standard
N-VDS Switch Name: N-VDS-1
Transport Zones: TZ-Overlay-1 and TZ-VLAN-1
NIOC Profile: nsx-default-nioc-hostswitch-profile
Uplink Profile: RegionA01-COMP01-UP
LLDP Profile: LLDP [send packet disabled]
IP Assignment: TEP-Pool-02


Hint: The Transport Zone configuration will be used by another administrator at a later time. 

- Configure a new VLAN backed transport zone.
Configuration detail:

- Configure a new uplink profile for the ESXi servers.
Configuration detail:

Name: RegionA01-COMP01-UP
Teaming Policy: Load Balance Source
Active adapters: Uplink1 and Uplink2
Transport VLAN: 0

- Configure a new IP Pool for ESXi overlay traffic.
Configuration detail:

Name: TEP-Pool-02
IP addresses range: 192.168.130.71 - 192.168.130.74
CIDR: 192.168.130.0/24
Gateway: 192.168.130.1


- Using the new transport node profile, prepare ESXi cluster RegionA01-COMP01 for NSX Overlay and VLAN use.


Complete the requested task. 

NOTE: Passwords are contained in the user_readme.txt. Configuration details may 
not be provided in the correct sequential order. Steps to complete this task must be 
completed in the proper order. Other tasks are dependent on the completion of this
task. You may want to move to other tasks/steps while waiting for configuration 
changes to be applied. This task should take approximately 20 minutes to complete. 
See the Explanation part of the Complete Solution and step by step instructions. 
Answer: 

To prepare a VMware NSX-T Data Center ESXi compute cluster infrastructure, you 
need to follow these steps: 

- Log in to the NSX Manager UI with admin credentials. The default URL is 
https://<nsx-manager-ip-address>. 

- Navigate to System > Fabric > Profiles > Transport Node Profiles and click Add
Profile.

- Enter a name and an optional description for the transport node profile.

- In the Host Switches section, click Set and select N-VDS as the host switch type.

- Enter a name for the N-VDS switch and select the mode as Standard or Enhanced
Datapath, depending on your requirements.

- Select the transport zones that you want to associate with the N-VDS switch. You
can select one overlay transport zone and one or more VLAN transport zones.

- Select an uplink profile from the drop-down menu or create a custom one by clicking
New Uplink Profile.

- In the IP Assignment section, select Use IP Pool and choose an existing IP pool
from the drop-down menu or create a new one by clicking New IP Pool.

- In the Physical NICs section, map the uplinks to the physical NICs on the host. For
example, map Uplink 1 to vmnic2 and Uplink 2 to vmnic3.

- Click Apply and then click Save to create the transport node profile.

- Navigate to System > Fabric > Nodes > Host Transport Nodes and click Add Host
Transport Node.

- Select vCenter Server as the compute manager and select the cluster that contains
the two ESXi servers that you want to prepare for NSX-T overlay and VLAN use.

- Select the transport node profile that you created in the previous steps and click
Next.

- Review the configuration summary and click Finish to start the preparation process. 
The preparation process may take some time to complete. You can monitor the 
progress and status of the host transport nodes on the Host Transport Nodes page. 
Once the preparation is complete, you will see two host transport nodes with a green 
status icon and a Connected state. You have successfully prepared a VMware NSX-T 
Data Center ESXi compute cluster infrastructure using a transport node profile. 


2.Task 12 
An issue with the Tampa web servers has been reported. You would like to replicate
and redirect the web traffic to a network monitoring tool outside of the NSX-T
environment to further analyze the traffic.

You are asked to configure traffic replication to the monitoring software for your 
Tampa web overlay segments with bi-directional traffic using this detail: 


Session Name: Network-Monitor-01
Network Appliance Name/Group: NM-01
Direction: Bi Directional
TCP/IP Stack: Default
Encapsulation Type: GRE

Complete the requested configuration.


Notes: Passwords are contained in the user_readme.txt. This task is not dependent
on other tasks. This task should take approximately 10 minutes to complete.

See the Explanation part of the Complete Solution and step by step instructions.
Answer:

To configure traffic replication to the monitoring software for your Tampa web overlay 
segments with bi-directional traffic, you need to follow these steps:

- Log in to the NSX Manager UI with admin credentials. The default URL is
https://<nsx-manager-ip-address>.

- Navigate to Networking > Segments and select the Tampa web overlay segment
that you want to replicate the traffic from. For example, select Web-01 segment that
you created in Task 2.

- Click Port Mirroring > Set > Add Session and enter a name and an optional
description for the port mirroring session. For example, enter Tampa-Web-Monitoring.

- In the Direction section, select Bi-directional as the direction from the drop-down
menu. This will replicate both ingress and egress traffic from the source to the
destination.

- In the Source section, click Set and select the VMs or logical ports that you want to
use as the source of the traffic. For example, select Web-VM-01 and Web-VM-02 as 
the source VMs. Click Apply. 

- In the Destination section, click Set and select Remote L3 SPAN as the destination 
type from the drop-down menu. This will allow you to replicate the traffic to a remote 
destination outside of the NSX-T environment. 

- Enter the IP address of the destination device where you have installed the network 
monitoring software, such as 10.10.10.200. 

- Select an existing service profile from the drop-down menu or create a new one by 
clicking New Service Profile. A service profile defines the encapsulation type and 
other parameters for the replicated traffic. 


- Optionally, you can configure advanced settings such as TCP/IP stack, snap length, 
etc., for the port mirroring session. 

- Click Save and then Close to create the port mirroring session. 

You have successfully configured traffic replication to the monitoring software for your 
Tampa web overlay segments with bi-directional traffic using NSX-T Manager UI. 


3.Task 5 

You are asked to configure a micro-segmentation policy for a new 3-tier web 
application that will be deployed to the production environment. 

You need to: 


- Configure Tags with the following configuration detail:

Tag Name     Member
Boston       Boston-web-01a, Boston-web-02a, Boston-app-01a, Boston-db-01a
Boston-Web   Boston-web-01a, Boston-web-02a
Boston-App   Boston-app-01a
Boston-DB    Boston-db-01a

- Configure Security Groups (use tags to define group criteria) with the following configuration detail:

Boston
Boston Web-Servers
Boston App-Servers
Boston DB-Servers

- Configure the Distributed Firewall Exclusion List with the following configuration detail:


Lira 


Virtual Machine core 


- Configure Policy & DFW Rules with the following configuration detail:

Policy Name: Boston-Web-Application
Applied to: Boston
New Services: TCP-8445, TCP-3051

- Policy detail:

Rule Name    Source               Destination          Service       Action
Any-to-Web   Any                  Boston Web-Servers   HTTP, HTTPS   ALLOW
Web-to-App   Boston Web-Servers   Boston App-Servers   TCP-8443      ALLOW
App-to-DB    Boston App-Servers   Boston DB-Servers    TCP-3051      ALLOW

Notes:

Passwords are contained in the user_readme.txt. Do not wait for configuration
changes to be applied in this task as processing may take some time. The task steps
are not dependent on one another. Subsequent tasks may require completion of this
task. This task should take approximately®&5 minutes to complete. 
See the Explanation part of the Complete Solution and step by step instructions. 
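
The policy in this task can be sanity-checked offline before it is built in the UI. The following is an added example, not part of the original task and not NSX-T code: a simplified Python model of first-match rule evaluation over the tags, groups and rules from the tables above. The group-to-tag mapping and the port numbers behind the TCP-8443 and TCP-3051 service names are assumptions, since the task tables do not spell them out.

```python
# Simplified model for illustration; not NSX-T code and not an NSX API client.
TAGS = {  # tag -> member VMs, from the Tags table
    "Boston": {"Boston-web-01a", "Boston-web-02a", "Boston-app-01a", "Boston-db-01a"},
    "Boston-Web": {"Boston-web-01a", "Boston-web-02a"},
    "Boston-App": {"Boston-app-01a"},
    "Boston-DB": {"Boston-db-01a"},
}
GROUPS = {  # group -> tag criterion (assumed: one tag per group)
    "Boston": "Boston",
    "Boston Web-Servers": "Boston-Web",
    "Boston App-Servers": "Boston-App",
    "Boston DB-Servers": "Boston-DB",
}
# Assumed ports. The task names the new service TCP-8445 in one table and
# TCP-8443 in the rule table; this model follows the rule table.
SERVICES = {"HTTP": 80, "HTTPS": 443, "TCP-8443": 8443, "TCP-3051": 3051}
APPLIED_TO = "Boston"
RULES = [  # (name, source, destination, services, action), evaluated top-down
    ("Any-to-Web", "Any", "Boston Web-Servers", ("HTTP", "HTTPS"), "ALLOW"),
    ("Web-to-App", "Boston Web-Servers", "Boston App-Servers", ("TCP-8443",), "ALLOW"),
    ("App-to-DB", "Boston App-Servers", "Boston DB-Servers", ("TCP-3051",), "ALLOW"),
]

def members(group):
    """VMs that carry the tag used as the group's membership criterion."""
    return TAGS[GROUPS[group]]

def in_group(endpoint, group):
    return group == "Any" or endpoint in members(group)

def evaluate(src, dst, port):
    """Return (rule, action) of the first matching rule, or None if nothing matches."""
    scope = members(APPLIED_TO)
    if src not in scope and dst not in scope:
        return None  # Applied To: the policy is not enforced on either endpoint
    for name, rule_src, rule_dst, services, action in RULES:
        ports = {SERVICES[s] for s in services}
        if in_group(src, rule_src) and in_group(dst, rule_dst) and port in ports:
            return name, action
    return None

def unmatched_flows():
    """VM-to-VM flows on the defined ports that no rule in this policy covers."""
    vms = sorted(members("Boston"))
    ports = sorted(set(SERVICES.values()))
    return [(s, d, p) for s in vms for d in vms if s != d
            for p in ports if evaluate(s, d, p) is None]
```

Because Any-to-Web uses Any as its source, the app and database VMs also match it when they connect to the web servers on HTTP or HTTPS. What happens to the flows returned by `unmatched_flows()` depends on rules lower in the firewall table, which the task does not define.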

4.Task 15
You have been asked to enable logging so that the global operations team can view
in vRealize Log Insight that their Service Level Agreements are being met for all
network traffic that is going in and out of the NSX environment. This NSX environment
is an Active / Active Two Data Center design utilizing N-VDS with BGP. You need to
ensure successful logging for the production NSX-T environment.
You need to: 
- Verify via putty with SSH that the administrator can connect to all NSX-Transport 
Nodes. You will use the credentials identified in Putty (admin). 
- Verify that there is no current active logging enabled by reviewing that directory is 
empty -/var/log/syslog 
- Enable NSX Manager Cluster logging 
- Select multiple configuration choices that could be appropriate success criteria 
- Enable NSX Edge Node logging 
- Validate logs are generated on each selected appliance by reviewing the
"/var/log/syslog"


Complete the requested task. 

Notes: Passwords are contained in the user_readme.txt.

These task steps are dependent on one another. This task should take approximately 
10 minutes to complete. 

See the Explanation part of the Complete Solution and step by step instructions. 
Answer: 

To enable logging for the production NSX-T environment, you need to follow these 
steps: 

- Verify via putty with SSH that the administrator can connect to all NSX-Transport 
Nodes. You can use the credentials identified in Putty (admin) to log in to each 
transport node. For example, you can use the following command to connect to the 
sfo01w01en01 edge transport node: ssh admin@sfo01w01en01. You should see a
welcome message and a prompt to enter commands.

- Verify that there is no current active logging enabled by reviewing that directory is
empty -/var/log/syslog-. You can use the ls command to list the files in the
/var/log/syslog directory. For example, you can use the following command to check
the sfo01w01en01 edge transport node: ls /var/log/syslog. You should see an empty
output if there is no active logging enabled.

- Enable NSX Manager Cluster logging. You can use the search_web("NSX Manager
Cluster logging configuration") tool to find some information on how to configure
remote logging for NSX Manager Cluster. One of the results is NSX-T Syslog
Configuration Revisited - vDives, which provides the following steps:

- Navigate to System > Fabric > Profiles > Node Profiles then select All NSX Nodes
then under Syslog Servers click +ADD

- Enter the IP or FQDN of the syslog server, the Port and Protocol and the desired
Log Level then click ADD

- Select multiple configuration choices that could be appropriate success criteria. You
can use the search_web("NSX-T logging success criteria") tool to find some
information on how to verify and troubleshoot logging for NSX-T.

Some of the possible success criteria are:

- The syslog server receives log messages from all NSX nodes

- The log messages contain relevant information such as timestamp, hostname,
facility, severity, message ID, and message content

- The log messages are formatted and filtered according to the configured settings 

- The log messages are encrypted and authenticated if using secure protocols such 
as TLS or LI-TLS 

- Enable NSX Edge Node logging. You can use the search_web("NSX Edge Node
logging configuration") tool to find some information on how to configure remote
logging for NSX Edge Node. One of the results is Configure Remote Logging -
VMware Docs, which provides the following steps:

- Run the following command to configure a log server and the types of messages to
send to the log server. Multiple facilities or message IDs can be specified as a comma
delimited list, without spaces.

set logging-server <hostname-or-ip-address[:port]> proto <proto> level <level> [facility <facility>] [messageid <messageid>] [serverca <filename>] [clientca <filename>] [certificate <filename>] [key <filename>] [structured-data <structured-data>]

- Validate logs are generated on each selected appliance by reviewing the
"/var/log/syslog". You can use the cat or tail commands to view the contents of the
/var/log/syslog file on each appliance. For example, you can use the following
command to view the last 10 lines of the sfo01w01en01 edge transport node: tail -n 10
/var/log/syslog. You should see log messages similar to this:

2023-04-06T12:34:56+00:00 sfo01w01en01 user.info nsx-edge[1234]: 2023-04-06T12:34:56Z nsx-edge[1234]: INFO: [nsx@6876 comp="nsx-edge" subcomp="nsx-edge" level="INFO" security="False"] Message from nsx-edge

You have successfully enabled logging for the production NSX-T environment.
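
The success criteria listed in the answer above can be checked mechanically against collected log lines. The following is an added example, not from the original answer or from VMware: a Python parser for the line layout shown in the sample log message, which reports missing fields and any expected node that has not produced a well-formed line. The second hostname and the malformed line are constructed for illustration, and the layout is assumed to match the sample shown above.

```python
import re
from datetime import datetime

# Layout taken from the sample line in the answer; real appliances may differ.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+)\.(?P<severity>\w+) '
    r'(?P<app>[\w-]+)\[(?P<pid>\d+)\]: .*?'
    r'\[nsx@6876 (?P<sd>[^\]]*)\] ?(?P<msg>.*)$'
)
SD_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in the structured data

SAMPLE = [  # constructed: line 1 follows the page's sample, line 2 is malformed
    '2023-04-06T12:34:56+00:00 sfo01w01en01 user.info nsx-edge[1234]: '
    '2023-04-06T12:34:56Z nsx-edge[1234]: INFO: [nsx@6876 comp="nsx-edge" '
    'subcomp="nsx-edge" level="INFO" security="False"] Message from nsx-edge',
    '2023-04-06T12:35:01+00:00 sfo01w01en02 kernel: link up',
]
EXPECTED = ["sfo01w01en01", "sfo01w01en02"]  # second hostname is hypothetical

def parse(line):
    """Return a dict of fields, or None when the line does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None  # timestamp is not ISO 8601
    rec["sd"] = dict(SD_RE.findall(rec["sd"]))
    return rec

def missing_fields(rec):
    """Names of success-criteria fields that are absent or empty in a record."""
    required = {
        "host": rec["host"], "facility": rec["facility"],
        "severity": rec["severity"], "comp": rec["sd"].get("comp"),
        "message": rec["msg"].strip(),
    }
    return [name for name, value in required.items() if not value]

def silent_nodes(lines, expected):
    """Expected nodes that have not produced a single well-formed line."""
    seen = {r["host"] for r in map(parse, lines) if r and not missing_fields(r)}
    return sorted(set(expected) - seen)

if __name__ == "__main__":
    print("nodes not logging correctly:", silent_nodes(SAMPLE, EXPECTED))
```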